Ireland Data Protection Commission Fines WhatsApp Ireland $266 Million for GDPR Transparency Violations

On September 2, 2021, Ireland’s Data Protection Commission (“DPC”) announced that it would fine WhatsApp Ireland (“WhatsApp”) €225 million ($266 million) for its failure to meet the General Data Protection Regulation’s (“GDPR”) transparency requirements as set forth in Articles 12-14. The investigation of WhatsApp began after the DPC received complaints from individuals regarding WhatsApp’s data processing activities and a mutual assistance request from the German Federal Data Protection Authority about WhatsApp’s compliance with EU data protection law. The investigation focused on whether WhatsApp, which was acquired by Facebook in 2014, complied with its transparency obligations under Articles 12-14 of the GDPR, particularly regarding the sharing and processing of…


Belgian Data Protection Authority Imposes Fines on Non-Profit Organization

In a decision issued on May 29, 2020, the Belgian data protection authority (DPA) turned its attention to the practices of non-profit organizations when it imposed a fine for violations of the EU’s General Data Protection Regulation (GDPR).  The DPA’s decision responded to an individual who complained that he continued to receive promotional materials from the organization after he had objected to the processing of his contact details for direct marketing. He had also requested that the organization delete his data from its database. The DPA stated that under the GDPR, unsolicited postal communications sent by non-profit organizations to promote their services and to fundraise qualify as “direct…


Poland Imposes Fines for Web-Scraping of Personal Data When Notification to Individuals Did Not Occur

Poland’s data protection agency issued its first fine under the EU’s General Data Protection Regulation (GDPR), imposing a 220,000 euro fine to Bisnode, a European digital marketing company headquartered in Sweden. The Poland Personal Data Protection Office (UODO) determined that the company had failed to inform individuals that it was processing their data after scraping that data from websites. Notification is required under Article 14. In addition to the fine, UODO required Bisnode to contact the nearly six million people it had not already contacted as required by the GDPR and gave the company three months to comply with the order. Article 14 obligates data controllers to inform…


Framework for GDPR Fines Published by the Dutch Authorities

The Dutch Data Protection Authority (AP) has announced a new policy for determining the fines to be imposed for violations of the General Data Protection Regulation (GDPR) and its national implementing act. The AP’s assessment will first take into account the maximum amounts specified by the European Regulation: either 10 million euros or 2% of the annual worldwide turnover, or 20 million euros or 4% of the annual worldwide turnover, depending on the violation incurred. Violations that are subject to fines are divided into three or four categories designed by the data protection authority to take into account the weight of the breached requirements, with each assigned a…

  • 1
  • 2